Fascinating and supports my suspicion that all blackberry is doing is
“controlling the entire channel” and there is nothing special here. I can
defeat the Saudis just as easily with an iPhone and an SSL certificate for my mail server.

Windows Mobile phones, Android phones, and iPhones can use the ActiveSync protocol, which uses 128bit or 256bit AES encryption from device to server via SSL (over port 80). The different devices vary on their support for
256bit AES (some purposely don’t because it makes things slower).

In other words depending on the devices chosen you can achieve an EQUAL
level of security with a non-blackberry phone. And as an extra positive
you have the keys, not blackberry.

It looks like the iPhone 4 is using 256bit AES, but that’s really
irrelevant, even governments cannot crack 128bit AES over SSL. Without
some sort of exploit it would still take every computer on the planet a
long time working together. NIST still stands behind the AES algorithm.

–Mike

What is AES?

AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware.[10] Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.

AES operates on a 4×4 column-major order matrix of bytes, termed the state, although some versions of Rijndael have a larger block size and have additional columns in the state. Most AES calculations are done in a special finite field.

The key size used for an AES cipher specifies the number of repetitions of transformation rounds that convert the input, called the plaintext, into the final output, called the ciphertext. The number of cycles of repetition is as follows:

10 cycles of repetition for 128-bit keys.

12 cycles of repetition for 192-bit keys.

14 cycles of repetition for 256-bit keys.

Each round consists of several processing steps, each containing four similar but different stages, including one that depends on the encryption key itself. A set of reverse rounds are applied to transform ciphertext back into the original plaintext using the same encryption key.

Just two days before, Apple disclosed a critical security flaw in the SSL implementation in the iOS software that would allow man-in-the-middle attacks to intercept SSL data by spoofing SSL servers.

Dubbed CVE-2014-1266, the so-called ‘goto fail;’ vulnerability, in which Secure Transport failed to validate the authenticity of the connection, has left millions of Apple users vulnerable to hackers and spy agencies, especially the likes of the NSA.

The title of this post may look crazy at first, but it’s not: it is entirely possible to convert a cheap 100M 8-port switch, or something similar, into a managed switch.

That’s possible simply because, if you open up one of these and look at the datasheet, you will find out that they use the same switch chips frequently used inside routers (which can be reprogrammed as you like with OpenWrt).

The switch I’ve used this time is a “digicom 10/100” switch. Digicom is probably an Italian rebrand of some other product, but anyway, let’s get straight to the point. Below you can see the PCB of that switch.

Now, by taking a quick look at the datasheet, some important things for this modification are easily found:

The switch chip can be programmed by pulling its pins up or down, but only basic features are programmable that way.

The switch chip can be programmed from the EEPROM (which is not present on this switch board, but there are unpopulated pads for it). For the switch to take the EEPROM into account, the first two bytes must be 0x55AA.

The switch chip can be programmed on the fly using a synchronous serial interface on pins MDC and MDIO.
This one is the most useful one to create a managed switch.

The serial interface is similar to I2C but much simpler: it does not support multiple devices on the same bus and devices don’t have an address.
The MDC clock has to be generated from the CPU side (in this case an Arduino), so you can operate it at whatever speed you want, provided you don’t exceed the maximum ratings.

Now, once you know how to communicate with the switch, it’s just a matter of programming an Arduino.
To do that, if you just want to test and you are going to power the Arduino over USB, you are going to need to modify a USB cable to give the Arduino 3.3 V instead of 5 V.
You could also use a level shifter for that, but I prefer powering the entire Arduino at 3.3 V because it’s simpler and cheaper.
To power an Arduino with 3.3 V you can simply take a USB cable, cut the red and black wires, and insert a regulator between the PC side and the Arduino side.

Arduino usb cable modification

After doing that modification, just adjust the regulator to give 3.3 V and you are ready to go.
On this switch, since we are again lucky today, the IC pins of the serial management interface were already routed to an unpopulated header, on which I soldered a 3-pin strip header.

The pinout is the following:
1 : GND
2 : MDIO
3 : MDC

MDIO must be pulled high using a 2.2k resistor or some similar value. Again, if you are using a level shifter instead of the 3.3 V cable mod, be sure to connect the pull-up resistor to 3.3 V and not 5 V.
To protect the I/O lines, also add two 100 ohm resistors (200 ohm at most) between MDIO, MDC and the Arduino pins (2, 3).

After doing that the HW part is done. If you want to make it permanent, just buy an Arduino Pro Mini (NOT NANO) and a USB-serial adapter; the two should be around $2 total, $3 at most.
You can also easily find the 3.3 V power rail on the board and power the Pro Mini from there. DO NOT power the Arduino Pro Mini from USB or use an Arduino Nano, or you will fry everything.
When connecting the USB-serial adapter to it you will only connect the GND, RX and TX wires, plus DTR if you want to be able to program it from USB.

Now let’s take a look at a basic piece of software for a managed switch which can save its configuration to the Arduino EEPROM and restore it at boot.


#include <EEPROM.h>

#define MDIO 2
#define MDC 3
#define PHY30_REG13_PORT1_REMOVE_TAG 0x10
#define PHY30_REG13_VLAN_EN 0x8

// Clock one bit out: set MDIO while MDC is low, then raise MDC.
void outBit(int b)
{
  digitalWrite(MDC, LOW);
  if (b == 0)
    digitalWrite(MDIO, LOW);
  else
    digitalWrite(MDIO, HIGH);
  delayMicroseconds(1);
  digitalWrite(MDC, HIGH);
  delayMicroseconds(1);
}

// Clock one bit in: sample MDIO while MDC is low, then raise MDC.
int inBit()
{
  digitalWrite(MDC, LOW);
  delayMicroseconds(1);
  unsigned int res = digitalRead(MDIO);
  digitalWrite(MDC, HIGH);
  delayMicroseconds(1);
  return res == HIGH ? 1 : 0;
}

// Read a 16 bit register: send the read command, then release MDIO and clock the value in.
unsigned int readReg(unsigned int phyaddr, unsigned int regaddr)
{
  int k = 0;
  unsigned int res = 0;
  pinMode(MDC, OUTPUT);
  inBit();
  inBit(); // IDLE
  pinMode(MDIO, OUTPUT);
  pinMode(MDC, OUTPUT);
  outBit(0); // START
  outBit(1);
  outBit(1); // READ
  outBit(0);
  for (k = 4; k >= 0; k--)
    outBit((phyaddr >> k) & 0x1);
  for (k = 4; k >= 0; k--)
    outBit((regaddr >> k) & 0x1);
  pinMode(MDIO, INPUT);
  digitalWrite(MDIO, HIGH); // Pullup
  inBit(); // Z
  inBit();
  for (k = 15; k >= 0; k--)
    res |= ((unsigned int)inBit() << k); // cast avoids shifting a signed 16 bit int
  return res;
}

// Write a 16 bit register: send the write command followed by the value.
void writeReg(unsigned int phyaddr, unsigned int regaddr, unsigned int value)
{
  int k = 0;
  pinMode(MDC, OUTPUT);
  inBit();
  inBit(); // IDLE
  pinMode(MDIO, OUTPUT);
  pinMode(MDC, OUTPUT);
  outBit(0); // START
  outBit(1);
  outBit(0); // WRITE
  outBit(1);
  for (k = 4; k >= 0; k--)
    outBit((phyaddr >> k) & 0x1);
  for (k = 4; k >= 0; k--)
    outBit((regaddr >> k) & 0x1);
  outBit(1); // TA
  outBit(0);
  for (k = 15; k >= 0; k--)
    outBit((value >> k) & 0x1);
  pinMode(MDIO, INPUT);
  digitalWrite(MDIO, HIGH);
  inBit();
  inBit(); // IDLE
}

// Copy one switch register into two EEPROM bytes (low byte first).
void saveReg(unsigned int eebase, unsigned int phy, unsigned int reg)
{
  unsigned int regval = readReg(phy, reg);
  EEPROM.write(eebase, regval & 0xff);
  EEPROM.write(eebase + 1, regval >> 8);
}

// Restore one switch register from two EEPROM bytes.
void loadReg(unsigned int eebase, unsigned int phy, unsigned int reg)
{
  unsigned int regval = 0;
  regval |= EEPROM.read(eebase);
  regval |= EEPROM.read(eebase + 1) << 8;
  writeReg(phy, reg, regval);
}

// Save the PHY 30 registers used by this sketch, then write the marker bytes.
void saveSettings()
{
  int i;
  saveReg(2, 30, 13);
  for (i = 0; i < 8; i++)
  {
    saveReg(4 + i * 2, 30, 3 + i);
  }
  saveReg(20, 30, 12);
  for (i = 0; i < 16; i++)
  {
    saveReg(22 + i * 2, 30, 14 + i);
  }
  EEPROM.write(0, 0x54);
  EEPROM.write(1, 0x78);
}

void loadApplySettings()
{
  int i;
  // Bytes 0 and 1 hold the marker written by saveSettings()
  if (EEPROM.read(0) != 0x54 || EEPROM.read(1) != 0x78)
  {
    Serial.println("Invalid settings found, loading defaults");
    writeReg(30, 13, PHY30_REG13_VLAN_EN); // Enable vlan
    for (i = 3; i < 11; i++) // All untagged packets from ports will have VID 1 by default

writeReg writes an entire register by submitting a write command together with phy address, reg address and the 16 bit value to write.
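The frame that writeReg and readReg clock out, as an added example (not the original author's code): a host-side C encoder and decoder for the 32-bit management frame, using the bit order of the sketch above (start 01, opcode 01 for write or 10 for read, 5-bit PHY address, 5-bit register address, 2 turnaround bits, 16 data bits). The names mdio_frame, mdio_encode and mdio_decode are hypothetical, and the decoder assumes the switch drives the second turnaround bit low when it answers a read.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example; all names here are hypothetical, not from the sketch. */
enum mdio_op { MDIO_WRITE = 1, MDIO_READ = 2 };   /* opcode bits 01 / 10 */
enum mdio_status { MDIO_OK, MDIO_BAD_START, MDIO_BAD_OP, MDIO_BAD_TA, MDIO_NO_REPLY };

struct mdio_frame {
    enum mdio_op op;
    uint8_t  phy;   /* 5-bit PHY address */
    uint8_t  reg;   /* 5-bit register address */
    uint16_t data;  /* 16-bit register value */
};

/* Pack MSB-first in the order the sketch clocks bits out:
 * START(01) OP(2) PHY(5) REG(5) TA(2) DATA(16). Returns 0 on bad input.
 * On a read the host releases MDIO after REG, so the pull-up makes the
 * remaining 18 bits read as ones unless the switch drives them. */
int mdio_encode(const struct mdio_frame *f, uint32_t *out)
{
    if (f->phy > 31 || f->reg > 31) return 0;
    if (f->op != MDIO_WRITE && f->op != MDIO_READ) return 0;
    uint32_t w = (1u << 30) | ((uint32_t)f->op << 28)
               | ((uint32_t)f->phy << 23) | ((uint32_t)f->reg << 18);
    w |= (f->op == MDIO_WRITE) ? ((2u << 16) | f->data) : 0x3FFFFu;
    *out = w;
    return 1;
}

/* Check a captured 32-bit frame and split it into fields.
 * Assumption: on a read the switch pulls the second turnaround bit low,
 * so a high bit there means nothing answered. */
enum mdio_status mdio_decode(uint32_t w, struct mdio_frame *f)
{
    unsigned op = (w >> 28) & 3u, ta = (w >> 16) & 3u;
    if ((w >> 30) != 1u) return MDIO_BAD_START;
    if (op != MDIO_WRITE && op != MDIO_READ) return MDIO_BAD_OP;
    f->op = (enum mdio_op)op;
    f->phy = (uint8_t)((w >> 23) & 31u);
    f->reg = (uint8_t)((w >> 18) & 31u);
    f->data = (uint16_t)(w & 0xFFFFu);
    if (op == MDIO_READ) return (ta & 1u) ? MDIO_NO_REPLY : MDIO_OK;
    return (ta == 2u) ? MDIO_OK : MDIO_BAD_TA;
}

int main(void)
{
    /* The "enable VLAN" write from the sketch: PHY 30, register 13, 0x8. */
    struct mdio_frame f = { MDIO_WRITE, 30, 13, 0x0008 }, g;
    uint32_t w;
    if (mdio_encode(&f, &w))
        printf("frame 0x%08lX status %d\n", (unsigned long)w, (int)mdio_decode(w, &g));
    return 0;
}
```

Comparing a logic-analyzer capture of MDIO against the encoded word is a quick way to tell a wiring or pull-up problem (MDIO_NO_REPLY) from a framing mistake in the bit-banging code.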

The switch itself works in a fairly simple way: you can assign which ports belong to a VLAN (this is independent of whether the packets will be tagged or not), and then you can configure how to treat untagged packets and what to do when a packet from a VID port group goes out of a port.

For example, if you want to use port 1 as a trunking port (multiple VLAN-tagged networks on the same physical port), and you want to tag untagged traffic from ports 2, 3, 4 with VLAN IDs 2, 3, 4, you have to:

Assign ports 1,2 to VID 2

Assign ports 1,3 to VID 3

Assign ports 1,4 to VID 4

Set ports 2,3,4 to remove VLAN tags from outgoing packets

Set port 1 to add VLAN tag to outgoing packets

Set default VID for untagged traffic of port 2 to 2

Set default VID for untagged traffic of port 3 to 3

Set default VID for untagged traffic of port 4 to 4

With that configuration for example you will be able to connect 3 different networks to a single ethernet cable, which may be useful when you have a radio tower with multiple devices on it and only a single cable going to the ground equipment.
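A software model of the trunk configuration listed above, as an added example (not the original author's code and not tied to the chip's register layout): it classifies a frame by tag or default VID, floods it to the other members of that VLAN, and reports which egress ports tag it. All names are hypothetical; the model assumes frames are dropped when the ingress port is not a member of the frame's VID, and, since the text gives port 1 no default VID, it drops untagged frames arriving on the trunk.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example; names are hypothetical. Ports are numbered 1..8 as in the text. */
#define NPORTS 8
#define MAXVID 16                        /* model limit, chosen for the example */
#define PORT(n) ((uint8_t)(1u << ((n) - 1)))

struct vlan_cfg {
    uint8_t  member[MAXVID];     /* member[vid]: bitmask of ports in that VID */
    uint16_t pvid[NPORTS + 1];   /* default VID for untagged ingress (0 = none) */
    uint8_t  tag_out;            /* ports that add the tag on egress; others strip it */
};

struct egress { uint8_t ports; uint8_t tagged; uint16_t vid; };

/* Decide where a frame entering in_port may leave, flooding inside its VLAN.
 * Assumption of this model: a frame is dropped when the ingress port is not
 * a member of the frame's VID. */
struct egress forward(const struct vlan_cfg *c, int in_port, int has_tag, uint16_t tag_vid)
{
    struct egress e = { 0, 0, 0 };
    if (in_port < 1 || in_port > NPORTS) return e;
    uint16_t vid = has_tag ? tag_vid : c->pvid[in_port];
    if (vid == 0 || vid >= MAXVID) return e;
    if (!(c->member[vid] & PORT(in_port))) return e;
    e.vid = vid;
    e.ports = (uint8_t)(c->member[vid] & ~PORT(in_port));
    e.tagged = (uint8_t)(e.ports & c->tag_out);
    return e;
}

/* The trunk setup from the list above: port 1 trunk, ports 2,3,4 access. */
struct vlan_cfg trunk_example(void)
{
    struct vlan_cfg c = { {0}, {0}, 0 };
    for (int p = 2; p <= 4; p++) {
        c.member[p] = (uint8_t)(PORT(1) | PORT(p));  /* ports 1,p in VID p */
        c.pvid[p] = (uint16_t)p;                     /* untagged on port p -> VID p */
    }
    c.tag_out = PORT(1);                             /* only the trunk tags */
    return c;
}

int main(void)
{
    struct vlan_cfg c = trunk_example();
    for (int p = 1; p <= 4; p++) {
        struct egress e = forward(&c, p, 0, 0);      /* untagged frame on port p */
        printf("untagged in port %d: vid %u, out mask 0x%02X, tagged mask 0x%02X\n",
               p, (unsigned)e.vid, (unsigned)e.ports, (unsigned)e.tagged);
    }
    return 0;
}
```

Running every ingress port through forward() before writing registers shows whether the three access networks stay isolated from each other and meet only on the trunk.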

That’s just the beginning: similar mods can in most cases be done on all switches, and probably with more features on newer (gigabit) switches.

You could also use a Raspberry Pi instead of an Arduino to manage the switch, so that you can work on it over Ethernet with a nice web interface.

When you buy an 898D soldering station there’s a very high chance that it is completely uncalibrated, leading to burnt or damaged parts and other kinds of problems, since most of the time it is calibrated to give a much higher temperature.

For that procedure you are going to need:

A cross-head screwdriver to open the 898D

A flat-head screwdriver at most 2 mm wide to rotate the potentiometers

A thermocouple thermometer

An IR thermometer

First of all, set both temperatures to 230 °C and disconnect the power cord, because part of the board is directly connected to mains.

To open the soldering station, remove the four screws around the front panel.

Once the front panel is removed you should have a board like the one below:

That board has two trimmers: one adjusts the SMD rework gun, the other adjusts the soldering iron temperature.

First start with the hot air gun. After you have made sure that no metal is touching the board and you are not touching the board, plug the power in again and heat a piece of paper with the hot air gun. Place the hot air gun on one side of the paper and an IR thermometer on the other side. If you read 220-235 °C it’s OK; if you read temperatures like 260 or 280 °C or 200 °C you definitely need to adjust it. To do that, take a small flat-head screwdriver and, with the soldering station disconnected from mains, rotate the potentiometer 1-2 turns counter-clockwise if the air is hotter than it should be, otherwise rotate it by the same amount clockwise. Then plug the power in again and check whether the temperature is in an acceptable range; if not, repeat the above step with smaller adjustments.

When you are done with the hot air gun, start working on the soldering iron: place some excess solder on its tip and put it in contact with a shielded thermocouple.

Let it stay for 3-4 minutes and then check the temperature reading of the thermocouple. If it is less than 210 °C or more than 240 °C you need to calibrate that too; proceed as follows:

If the temperature is higher than it should be, rotate the soldering iron potentiometer about 1/4 of a turn clockwise (the opposite of the hot air gun one). You should do that with the power connected, so BE VERY CAREFUL not to touch any part on the board except the potentiometer with the screwdriver when doing that. If the temperature is lower than it should be, rotate it 1/4 of a turn counter-clockwise.

If the temperature was higher than needed, blow some air at the thermocouple and soldering iron tip to lower the temperature, and wait for it to rise.

After about 2 minutes, check whether the temperature still needs adjustment; if yes, repeat from step 1 with smaller rotations.

I’m using a PID controller as a thermometer because it’s the only thermocouple-based thermometer that I have at the moment.

The SITECOM WL-326 is an Ethernet + 3G router featuring 300 Mbps wireless and a USB port to connect a 3G modem.

This device is not officially supported by OpenWRT and not very common, so there’s basically zero info on it at the moment.

The first thing is to find out which SoC it uses. Since it is covered by a heat spreader, the best idea that does not involve the risk of destroying the board is connecting a USB-TTL adapter to the serial port, which is visible in the photos.

Luckily, contrary to most cases, the PCB already has written on it which pins are RX, TX and GND, so it’s just a matter of soldering a female or male strip header and connecting it to the adapter.

Serial port settings are 57600 8N1, and when connecting the power to the device it’s immediately visible that it is a rebrand of another device, the ESR-6670 http://wiki.openwrt.org/toh/engenius/esr6670.
Still no luck, it’s not supported either, but at least now we know what SoC it uses, which is Ralink 3052.

Now the tricky part: the bootloader only shows one option, contrary to most supported routers.


Board:Ralink APSoC DRAM:32MB1*32MB
============================================
ASIC3052_MP2(Port5<->None)
Product Name:ESR-6670
SDRAM CAS=3(d1835272)
============================================
Please choose the operation:
1: Load system code to SDRAM via TFTP.

So the only option is just to try it, worst case scenario if it goes wrong we’ll have to reverse engineer the (likely) jtag connector visible on the photo.

This command will ask you some parameters, first one is the router IP, just hit enter ( leaving it as it is )
second one is the TFTP server IP, a default one will be shown.


Board:Ralink APSoC DRAM:32MB1*32MB
============================================
ASIC3052_MP2(Port5<->None)
Product Name:ESR-6670
SDRAM CAS=3(d1835272)
============================================
Please choose the operation:
1: Load system code to SDRAM via TFTP.
1: System Load Linux to SDRAM via TFTP.
Please Input new ones /or Ctrl-C to discard
Input device IP (192.168.99.9) ==:
Input server IP (192.168.99.8) ==:
Input Linux Kernel filename (40.7z) ==:rd.bin
Using Eth0 device
TFTP from server 192.168.99.8; our IP address is 192.168.99.9
Filename 'a.dlf'.
Loading: *
ArpTimeoutCheck
Got ARP REPLY, set server/gtwy eth addr (54:42:49:5f:d3:1b)
Got it
T#
first block received

Now connect an ethernet cable between a LAN port and your machine and ifconfig it to the router ip address

ifconfig eth0 up 192.168.99.8

or something like that.

Now you can hit enter, and then it will ask for the linux kernel filename, which is WRONG: that’s not the linux kernel filename but the uImage filename.

Now the hard choice: finding a similar enough device to flash this one with, and crossing fingers that it does not blow up. I’ve chosen the wr512 because it too has a USB port and an Ethernet port, so it’s worth trying.

Now start a TFTP server. The quickest way, without spending 15 mins configuring with xinetd or crap like that, is

dnsmasq --enable-tftp --tftp-root=/home/dev -d

If it fails because of port already in use, append -p 3244

If it started successfully, enter the chosen filename (rd.bin or whatever it is) on the serial console and hit enter. Now it should flash it and reboot, but you are not done yet, because this is an image designed to work only in RAM, so any config change will NOT be saved.

But since you should have an openwrt console now and the LAN ports configured to 192.168.1.1, ifconfig your machine’s interface to 192.168.1.2.

It will take like a min or two and then reboot automatically, after the reboot you will have the router at 192.168.1.1 again.

Now login to LuCI interface, go to Network->Switch and you should see two vlans configured , vlan1 which is lan configured with the first port untagged and vlan2 which is wan configured to some other port untagged.

Now change on vlan1 the first port ( left to right ) , to off , and on vlan2 the first port ( same as vlan1 ) to untagged, and click save & apply.
That’s because the router of which we flashed the firmware has the switch connected differently.

That’s it now you are done , you can configure wireless and other stuff, just forget about 3G unless you replace flash memory, because it is likely that there’s not enough space on flash ( unless you build a version without LuCI and with 3g and then configure with CLI ).

Update: It’s possible to install 3g packages and still have 52 kbytes free, not tested because i don’t have an USB 3g modem handy

I’m posting this pinout, because it can’t be easily found, and using a multimeter it takes a lot to figure out, like it did for me

MB Connector   Panel back connector   Description
1              2                      3.3VDD
2              4                      EDID eeprom power ( 3.3V)
3              6                      EDID eeprom CLK
4              7                      EDID eeprom DATA
5              28                     VDD_EN ( Active high, 3.3v)
6              30                     VLED_EN (Active high, 3.3v)
7              22                     GND
8              8                      LVDS Channel 0 -
9              9                      LVDS Channel 0 +
10             11                     LVDS Channel 1 -
11             12                     LVDS Channel 1 +
12             14                     LVDS Channel 2 -
13             15                     LVDS Channel 2 +
14             22                     GND
15             17                     LVDS Clock -
16             18                     LVDS Clock +
17             1                      GND
18             5                      Backlight PWM ADJ
19             25                     Led VCC ( 5V )
20             24                     Led VCC ( 5V )

If you are planning to reuse the panel with an MT6820 board, set the panel voltage to 3.3 volts, connect 3.3VDD and VDD_EN together, and connect all the GND pins to GND too.
About the backlight, for me it worked leaving VLED_EN open (unconnected) and ADJ connected to the BL pin of the MT6820 (brightness, unless I’ve swapped the pins by mistake, does not seem to work).

The whole thing will draw about 1A @ 5V, so if you get a Y cable with a switch (to prevent the MT6820 from powering on too early), you can run it from two USB ports.

The correct jumper configuration for the board is with only A closed, and all others open.